Bug 251041

Summary: Squid cannot start NTLM auth helpers due to SELinux policy
Product: Fedora
Component: squid
Version: 7
Hardware: All
OS: Linux
Reporter: Leonid Zeitlin <lz>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Fixed In Version: Current Doc Type: Bug Fix
Last Closed: 2007-11-12 23:02:01 UTC

Description Leonid Zeitlin 2007-08-06 18:12:21 UTC
Description of problem:
When Squid is configured to use NTLM authentication it starts a number of 
ntlm_auth helper processes (the helpers themselves are part of the samba-common 
package). However, SELinux policy prevents the helpers from functioning. As a 
result the helpers exit, and so does Squid.

Version-Release number of selected component (if applicable):
squid-2.6.STABLE13-1.fc7
samba-common-3.0.25b-2.fc7
selinux-policy-2.6.4-30.fc7
selinux-policy-targeted-2.6.4-30.fc7


How reproducible:
Always

Steps to Reproduce:
1. Configure squid to use NTLM authentication. Have the following in squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

The only essential line is the first one.

2. Configure Samba and join your computer to an Active Directory domain. Start 
smbd, nmbd and winbind.

3. Start squid
  
Actual results:
After a few seconds squid exits abnormally.

In /var/log/squid/cache.log:

2007/08/06 21:08:28| WARNING: ntlmauthenticator #9 (FD 14) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #8 (FD 13) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #7 (FD 12) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #6 (FD 11) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #5 (FD 10) exited
2007/08/06 21:08:28| Too few ntlmauthenticator processes are running
FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!

Squid Cache (Version 2.6.STABLE13): Terminated abnormally.

In /var/log/audit/audit.log:

type=AVC msg=audit(1186423708.180:117122): avc:  denied  { read write } for  pid=27642 comm="ntlm_auth" name="[22993981]" dev=sockfs ino=22993981 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket

Expected results:
Squid starts normally and uses NTLM authentication

Additional info:
Audit2allow reports that the following rule is needed:

allow winbind_helper_t squid_t:unix_stream_socket { read write };

Comment 1 Daniel Walsh 2007-08-06 22:53:37 UTC
Fixed in selinux-policy-2.6.4-34


Comment 2 Leonid Zeitlin 2007-08-07 09:14:13 UTC
Please pardon an ignorant question, but where can I find version 2.6.4-34? 
Can't seem to find it in updates or even CVS. Thanks.

Comment 3 Daniel Walsh 2007-08-07 13:28:34 UTC
I have just submitted it for build.  I am trying to only release on a weekly
basis.  So it should go to Fedora Testing on Friday.

Comment 4 Leonid Zeitlin 2007-08-14 17:54:13 UTC
Confirm that selinux-policy-2.6.4-35 from testing solves the problem. Thanks!

Comment 5 Leonid Zeitlin 2007-10-09 09:43:37 UTC
While the issue is fixed as of selinux-policy-2.6.4-35, now my audit log is 
full of these messages:

type=AVC msg=audit(1191922803.673:467268): avc:  denied  { create } for  pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket

I wonder if these should be allowed, or else not audited.

Comment 6 Daniel Walsh 2007-10-09 14:46:34 UTC
Looks like winbind_helper might be talking to dns?

In Rawhide I allow this so I guess I will back port to FC7.
Added in selinux-policy-2.6.4-48

Comment 7 Leonid Zeitlin 2007-10-18 08:53:03 UTC
With selinux-policy-2.6.4-48 the denials above are gone, thank you. However, 
when squid starts, a few denials are still logged:

type=AVC msg=audit(1192697265.873:16787): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

type=AVC msg=audit(1192697265.873:16786): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

type=AVC msg=audit(1192697162.366:16783): avc:  denied  { getattr } for  pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket


Comment 8 Daniel Walsh 2007-10-18 21:07:42 UTC
Fixed in selinux-policy-2.6.4-49



Comment 9 Leonid Zeitlin 2007-11-09 17:51:25 UTC
Confirm that selinux-policy-2.6.4-49 fixes the denials on startup. I think the 
issue can be closed.